During an initial discussion about a penetration test, it is important to define the information basis together with the customer. The information basis determines which information we, as independent testers, receive in advance from the customer about the systems to be tested. Generally, a distinction is made between the black box, white box, and grey box methodologies. Below, we explain the differences between these approaches.
Black Box
With the black box methodology, the pentester receives only basic information, for example IP addresses or hostnames of the objects to be tested. They have neither documentation nor system access. This simulates an attack by an external attacker who has no insider knowledge and must first gather all required information during the test.
White Box
In a white box test, the pentester receives extensive information about the target object. This can include, for example, an application’s source code, detailed infrastructure documentation, or accounts with administrative permissions. This methodology simulates the perspective of a potential insider or developer. White box testing is the most comprehensive and time-consuming methodology, because pre-disclosure of all relevant information maximizes the scope of possible tests.
Grey Box
The grey box approach is a combination of the two other methods. In this case, the pentester already has basic knowledge of the infrastructure or application. A common scenario would be access to a web application with user privileges, or testing internal network infrastructures using topology plans and corresponding documentation of active network components.
The grey box approach is the most commonly used method and is also what we recommend. Its advantage is that the focus of the test can be defined jointly with the customer and placed on specific functions of an application or system. The pentester can then concentrate on the defined systems and analyze them in a targeted way. In the black box approach, by contrast, extensive reconnaissance is first required to gather information about the target. Because of this additional information-gathering effort, less time remains for deeper testing, which may result in important functions remaining untested. Contact us and we will find the right penetration testing methodology together with you.